Slashdot: News for Nerds

Berkeley Grads' Identity Data Stolen

timothy posted more than 9 years ago | from the practice-safe-applicating dept.

Privacy 289

yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."

289 comments

Secret (5, Insightful)

BWJones (18351) | more than 9 years ago | (#12074942)

Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

Granted, this will not prevent all leaks as even the State Department [computerworld.com], CIA and FBI [crimelynx.com] have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.

Why do they need the SSNs? (4, Insightful)

lecithin (745575) | more than 9 years ago | (#12074950)

This is a pet peeve and it is just getting worse.

Why does a school need our SSNs? Why does anybody outside the government?

Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

Re:Why do they need the SSNs? (5, Insightful)

DarkTempes (822722) | more than 9 years ago | (#12074972)

they use it as a personal identification number (which it isn't supposed to be used as but since everyone has a unique one it makes it easy for them to do it).

they don't NEED to but they CAN and so they do.

Re:Why do they need the SSNs? (2, Interesting)

anon*127.0.0.1 (637224) | more than 9 years ago | (#12075048)

But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years. I'm assuming Berkeley has a fair number of foreign students, they probably have to generate some sort of artificial ID number for them... why can't they just generate an artificial ID number for all their students?

To answer my own question... they could, and quite easily. The difficulty lies in transitioning all your data systems from one ID number to the other.

Re:Why do they need the SSNs? (2, Informative)

anthony_dipierro (543308) | more than 9 years ago | (#12075171)

They're not unique forever, because the government recycles them after a few years.

Insightful? This is patently false. There are some instances of multiple people having the same SSN, but these were accidental, and not intentional, and the government will issue a new SSN for people who are in this situation.

why can't they just generate an artificial ID number for all their students?

Read my reply to the parent. The school definitely needs your SSN. It probably shouldn't be used as a primary key, since there's a (very slim) chance it's not going to be unique, and not all students will have an SSN. But don't the vast majority of foreign students have a government issued ID number already (just not to be used for employment purposes)?
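
The re-keying that the comments above discuss (a generated ID for every student, the SSN kept but no longer the primary key, and room for students who have no SSN) can be sketched as follows. This is an added example, not part of any commenter's post and not Berkeley's system; the table names, the 8-digit ID format and the sample rows are all assumptions constructed for illustration.

```python
import secrets
import sqlite3

# Constructed sample rows. Area number 000 is never issued, so these are not real SSNs.
LEGACY_STUDENTS = [("000-12-3456", "A. Example"), ("000-65-4321", "B. Sample")]
LEGACY_ENROLLMENTS = [
    ("000-12-3456", "PHYS 201"),
    ("000-12-3456", "MATH 110"),
    ("000-65-4321", "CHEM 101"),
]


def build_legacy_db():
    """Legacy layout: the SSN is the primary key and is copied into every table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE students (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE enrollments (ssn TEXT NOT NULL, course TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO students VALUES (?, ?)", LEGACY_STUDENTS)
    db.executemany("INSERT INTO enrollments VALUES (?, ?)", LEGACY_ENROLLMENTS)
    db.commit()
    return db


def count(db, table):
    """Row count for one of this example's own (hard-coded) table names."""
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchall()[0][0]


def add_student(db, name, ssn=None):
    """Insert a student under a random 8-digit ID not derived from the SSN.

    The caller commits. Table and column names are assumptions of this example.
    """
    while True:
        student_id = f"{secrets.randbelow(10**8):08d}"
        try:
            db.execute("INSERT INTO students_v2 VALUES (?, ?)", (student_id, name))
            break
        except sqlite3.IntegrityError:
            continue  # ID collision: draw again
    if ssn is not None:  # students without an SSN simply have no vault row
        db.execute("INSERT INTO ssn_vault VALUES (?, ?)", (student_id, ssn))
    return student_id


def migrate(db):
    """Re-key every table on student_id and confine SSNs to one table."""
    db.executescript("""
        CREATE TABLE students_v2 (student_id TEXT PRIMARY KEY, name TEXT NOT NULL);
        -- Read only by tax and financial-aid reporting. Encrypting and
        -- access-controlling this table is assumed, not shown.
        CREATE TABLE ssn_vault (student_id TEXT PRIMARY KEY, ssn TEXT NOT NULL UNIQUE);
        CREATE TABLE enrollments_v2 (student_id TEXT NOT NULL, course TEXT NOT NULL);
    """)
    for ssn, name in db.execute("SELECT ssn, name FROM students").fetchall():
        add_student(db, name, ssn)
    # Translate the old SSN foreign key into the new ID through the vault.
    db.execute("""
        INSERT INTO enrollments_v2 (student_id, course)
        SELECT v.student_id, e.course
        FROM enrollments e JOIN ssn_vault v ON v.ssn = e.ssn
    """)
    # Keep the legacy tables if any enrollment row failed to map.
    if count(db, "enrollments") != count(db, "enrollments_v2"):
        db.rollback()
        raise RuntimeError("unmapped enrollment rows; legacy tables kept")
    db.execute("DROP TABLE enrollments")
    db.execute("DROP TABLE students")
    db.commit()


def roster_export(db):
    """What may leave the server on a portable machine: IDs, names, courses."""
    return db.execute("""
        SELECT s.student_id, s.name, e.course
        FROM students_v2 s JOIN enrollments_v2 e ON e.student_id = s.student_id
        ORDER BY s.name, e.course
    """).fetchall()


if __name__ == "__main__":
    db = build_legacy_db()
    migrate(db)
    add_student(db, "C. Visitor")  # no SSN on file
    db.commit()
    for row in roster_export(db):
        print(row)
    print("SSNs held only in ssn_vault:", count(db, "ssn_vault"))
```

After the migration, the day-to-day tables and any roster copied from them carry no SSN, so a lost copy of that data exposes IDs that mean nothing outside the school.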

Re:Why do they need the SSNs? (3, Informative)

antifoidulus (807088) | more than 9 years ago | (#12075224)

AFAIK, foreign students do receive SSN #s, but an SSN # doesn't entitle you to social security benefits. Everyone who is not on a short term visa is required to get one. I hosted a student intern from Argentina here at my school and had to help her get all this stuff.

Re:Why do they need the SSNs? (1)

anthony_dipierro (543308) | more than 9 years ago | (#12075305)

It's basically an SSN (same format and everything), but I think it's called something different, since the people aren't entitled to social security.

That said, not everyone in the country has an SSN. I've been debating whether or not I should give one to my children (if I ever have any children), or if I should let them choose for themselves whether or not to get one. At least one disadvantage is if they don't have an SSN, you can't claim them on your taxes for stuff like the child tax credit.

Re:Why do they need the SSNs? (4, Informative)

forand (530402) | more than 9 years ago | (#12075177)

Berkeley does NOT use your SSN for your student number. It does, however, need your SSN to provide you with federal financial aid and work. Since virtually EVERY grad student falls into one of these categories they need the SSN.

Re:Why do they need the SSNs? (0)

Anonymous Coward | more than 9 years ago | (#12075182)

But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years.

The US Government goes through ten billion numbers fast enough to recycle them "after a few years?" I don't think people will have much trouble telling between the two people with the same SSN when one does get recycled. Do we send the check to Jim Smith born in 1977 or to Stacy Esteban born in 2204?

Re:Why do they need the SSNs? (1, Informative)

Anonymous Coward | more than 9 years ago | (#12075186)

Most schools will use an ITIN [irs.gov] assigned by the IRS for foreign nationals, because they often need to pay taxes on earnings/whatnot but have no SSN.

Re:Why do they need the SSNs? (3, Informative)

defy god (822637) | more than 9 years ago | (#12075222)

http://www.ssa.gov/history/hfaq.html

Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

Re:Why do they need the SSNs? (5, Interesting)

G-funk (22712) | more than 9 years ago | (#12074974)

Because your SSN (like our TFN, or Tax File Number) is your national ID number. Whether you like it or not, whether it's legal or not, it's still a fact. You guys have it worse than us, we seem to have the TFN for all "official" docs like government, financial institutions etc, and we have our license no for everything else, such as video cards etc. But we're still in databases all over the world, easily indexed by a small number of different "unique enough" keys.

Re:Why do they need the SSNs? (4, Funny)

ikkonoishi (674762) | more than 9 years ago | (#12075103)

#12074974, I am shocked by your assertion that my actions are being tracked by an ID number of some kind. All places should put the effort to protect our identities that Slashdot does.

Sincerely
#12072440

Re:Why do they need the SSNs? (2, Informative)

mzwaterski (802371) | more than 9 years ago | (#12075275)

If by video card you mean a card for renting movies and by "you guys" you mean US citizens, then I would say that we are pretty similar to you. Video stores generally take a driver's license number or credit card to keep on file, they don't require a social security number and I don't believe I've even been asked to provide one optionally.

Generally, social security numbers are used for things relating to schools, banking/investing/financial activities, and government documents like tax returns.

Re:Why do they need the SSNs? (2, Insightful)

matth (22742) | more than 9 years ago | (#12074986)

I bet you don't NEED to.. just tell them you don't have one... they can't make you give them something you don't have... that's what I do.. I've never had a problem.

Re:Why do they need the SSNs? (0)

Anonymous Coward | more than 9 years ago | (#12074997)

Why does the school need and keep your SSN after nearly 30 years? Yes, they probably use it to "id" the student records if some employer inquires if you actually attended college there back in 1976. The business I'm in, all SSN's and Credit card#'s are encrypted on the disk that they're stored on. That only makes it "more secure", not 100%. Our e-commerce is 100% secure since they do not keep CC# or SSN#'s in any records.

Re:Why do they need the SSNs? (0)

Anonymous Coward | more than 9 years ago | (#12074998)

"Why does a school need our SSNs? Why does anybody outside the government?

Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?"

Are hunting and fishing license not awarded by the government

Re:Why do they need the SSNs? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12075080)

You fucking idiot. Is that a question? Can't you type a goddamn question mark?

Are hunting and fishing license not awarded by the (0)

Anonymous Coward | more than 9 years ago | (#12075153)

Are hunting and fishing license not awarded by the government

No, they are State issued without any government involvement.

Re:Why do they need the SSNs? (2, Insightful)

russler (749464) | more than 9 years ago | (#12075012)

Think of how many institutions we deal with require our SSN. With Social Security supposedly going defunct in 2041 (from the headlines) do you suppose all of these organizations are going to be so forward thinking as to choose a new "key" for each of us by then? How much is it going to suck for kids in the future to be issued a Social Security Number when it's used for pretty much everything under the sun EXCEPT for obtaining Social Security benefits.

Re:Why do they need the SSNs? (2, Funny)

matth (22742) | more than 9 years ago | (#12075193)

Exactly why my kids will not be getting SSNs!

get them SSN's (2, Insightful)

Anonymous Coward | more than 9 years ago | (#12075311)

They will need one eventually.

Without an SSN you can't get financial aid. I was born on a commune near the Canadian border and didn't have either a birth certificate or SSN for many, many years.

Eventually I got the opportunity to go to Moscow. It took me almost 2 years to get a passport. Needless to say I missed the trip.

I then applied to college and got accepted. Since we are dirt poor I applied for financial aid. They promptly said, sorry you are not enlisted with the selective service. I said no shit. They said no money. I then went to enlist with the SS (selective service) and they said "who the fuck are you, what do mean you don't have an SSN, get one and come back." I finally got a SSN when I was 17 years old, enlisted Selective service, got financial aid, went to UCLA and now am your typical suburban programmer with a wife and family (my way of rebelling against being born in the fucking woods).

The moral, get your kids a SSN. Don't punish them because you hate the government.

Re:Why do they need the SSNs? (1)

dumllama (715921) | more than 9 years ago | (#12075315)

It is not going "defunct".
It will just have to cut benefits to about 75% of what is promised by the current formula.

Don't listen to the politicians, they'll say anything to get what they want.
Don't listen to the newspapers, they just repeat what the politicians say.

Re:Why do they need the SSNs? (5, Funny)

flyingsquid (813711) | more than 9 years ago | (#12075037)

Why does a school need our SSNs? Why does anybody outside the government? Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

Next time you apply for a license, just tell them you are John Kruptowski, 537 Cherrywood Circle, Minneapolis, Minnesota, 575-63-6216, currently applying to UC Berkeley's astrophysics program.

If you don't like that name, I got a zillion more.

Re:Why do they need the SSNs? (1)

calethix (537786) | more than 9 years ago | (#12075052)

"Why does a school need our SSNs? Why does anybody outside the government?"
I believe in many cases (e.g. student worker, financial aid recipient), they need it for tax reporting purposes.

Re:Why do they need the SSNs? (0, Troll)

mshiltonj (220311) | more than 9 years ago | (#12075092)

Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

We must verify your information against the Homeland Security Threat Matrix to see if you are a terrorist.

Since you have questioned the need to produce your papers on demand, you have exhibited suspicious behavior according to our profiling specifications. Your threat rating has been raised three points.

Please report to your nearest Homeland Security office immediately for interrogation and possible re-education.

Thank you.

Re:Why do they need the SSNs? (2, Insightful)

vettemph (540399) | more than 9 years ago | (#12075348)

Score:+5 Funny?
More like
Score:+5 Scary!

You can refuse to give out your SSN (0)

Anonymous Coward | more than 9 years ago | (#12075110)

Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

I have done it a number of times.

Federal law mandates your SSN is private and the only organization that can legally require you to disclose it to them is a branch of the Federal government.

Next time tell them you are not comfortable giving out that information. If they give you shit and are not a private organization ask to speak with a manager, explain to him and if he still refuses ask to speak with his manager, etc... I did this until I talked to someone at the fish and game dept to get a 5-day fishing license in Colorado. Once the guy heard from the "horse's mouth" so to speak to sell me the license he apologized and sold it to me.

My father, a paranoid man, refused to give his SSN to the DMV and they refused to register his car. He waited in the lobby until he talked to the commissioner of the DMV and they promptly apologized and gave him his plates.

You don't ever have to give it out to a non-government agency but your refusal will be an inconvenience.

Re:Why do they need the SSNs? (1)

anthony_dipierro (543308) | more than 9 years ago | (#12075131)

Why does a school need our SSNs?

They definitely need it so they can file a 1098-T at the end of the year. They probably also need it so they can do a credit check on you, both to determine if they're going to admit you, as well as to determine whether or not you qualify for whatever tuition plans they offer (unless you're prepaying in cash, the school is giving you a loan). If you're a transfer student, they need it so they can verify your transcript, this could perhaps be done in another way, using your name, addresses, birth date, etc., but it's a lot easier to just see the SSN on the transcript and match it to the SSN in your profile.

Why does anybody outside the government?

The same basic reasons. Either they need it to report something to the government, to check your credit, or to match up files.

Re:Why do they need the SSNs? (1)

fuzzybunny (112938) | more than 9 years ago | (#12075304)

OK, agreed, tax & SS-related forms are legitimate.

Now: what about the whole "credit check" thing? Let's ask a more fundamental question--why is the SSN required for this sort of thing at all? Or for transcript verification?

Simple answer: It's a unique identifier, you said it. Funny thing that, doesn't the Social Security Act specify that the SSN is not meant to be used as identification except for Social Security purposes?

You hit the nail on the head with the word "easy". It's easy. "Easy" is not always good, and in this case, it is shit. "Easy" is what made some plank store this sort of crap on a laptop, probably in Excel, probably unencrypted. "Easy" in this case is bad.

As this link [privacyrights.org] mentions, one of the problems is that there is no law _preventing_ business (including schools) from requiring this supposedly private piece of information as a precondition for delivering services, without making allowance for an alternative.

So I think in this case we can replace "easy" with "unprofessional", "lazy", "unethical" even.

Some Are Switching (1)

LighthouseJ (453757) | more than 9 years ago | (#12075197)

My school has switched from using Social Security Numbers to our unique numbering system. I can use this number everywhere I used to use my SSN when logging into secure sites, signing up for university classes, etc... Even my state of Virginia changed over from SSN's on the license to "Customer Numbers" which mean nothing to anyone who doesn't need to know my ID.

Re:Why do they need the SSNs? (1)

dayid (802168) | more than 9 years ago | (#12075230)

Schools need SSNs because they file paperwork for you with the government regarding the amount of "school expense" you've paid, along with tuition and the likes. They file almost as much tax paperwork with the government for every student as a bank would for a common customer (savings+checking+one or two investment accounts). It sure would make it fun for the government to get a bunch of files for "Bobby B. Brown" rather than "077-10-1199" now, wouldn't it?

That said, the fact that anyone would store SSNs on something such as a laptop just shows that they need to get smacked around a little bit.

...I also like how you say that in Minnesota you need your SSN for hunting and fishing licenses, but you argue that no one outside the government should need it. Well, do you think the money and information associated with your hunting and fishing licenses is just going to some random private organization?

No! (2, Funny)

TheSpeedoBeast (863070) | more than 9 years ago | (#12074952)

Oh, HELL no, I just applied there!

Re:No! (1)

RootsLINUX (854452) | more than 9 years ago | (#12074995)

So did I, about a year ago! Dammit, they better take responsibility (in the form of giving me a free graduate degree as compensation)! *shakes fist*

Re:No! (1)

tomhudson (43916) | more than 9 years ago | (#12075014)

That's okay. Don't worry. I can now sell you a genuine degree. Wink wink, nudge nudge.

The price is cheap and lets you get into the job market that much quicker: $5,000.00 in Doritos and Mountain Dew [tt]

Mind you, it's ALWAYS been possible to game the system to get universities to issue degrees. Records are lost, etc. It used to be that you had to go in with fake paperwork a couple of decades later, be really insistent, and walk out with your sheepskin. Nowadays, it's SO much more convenient, thanks to the internet :-)

It's easy to encrypt in Windows (4, Informative)

caluml (551744) | more than 9 years ago | (#12074958)

Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option.
Better still, just create a directory (C:\Encrypted), and encrypt the folder, and all subdirectories.
Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else.

Re:It's easy to encrypt in Windows (2, Insightful)

Zemplar (764598) | more than 9 years ago | (#12075046)

"Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option."

I'd bet your paycheck that the password to login is on a post-it stuck to the laptop's keyboard!

"Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else."

HAHAHAHAA! A Windows user? I wouldn't count on it!

Re:It's easy to encrypt in Windows (1)

bostonsoxfan (865285) | more than 9 years ago | (#12075109)

Don't make all Windows users sound incompetent. I am a Windows user and I have backups of all my data and most of my passwords are eight characters and alphanumeric.

The thing about this is that if you have access to the laptop, you will be able to crack it. It is just a matter of time.

They need to be more responsible for the data they collect. Why do you need to carry around thousands of SSNs and nearly enough information to steal their identities?

Re:It's easy to encrypt in Windows (1)

silconous (636675) | more than 9 years ago | (#12075121)

It's also really easy to crack Windows encryption; there's a couple of Linux CDs that will crack the SAM file on a Windows box. You get the admin password, you get the data. Local admin is the default recovery agent in windoze. So using Windows encryption would only prevent the data from being accessed in about 10 min.

Re:It's easy to encrypt in Windows (1)

defy god (822637) | more than 9 years ago | (#12075205)

from the article though, it is assumed that the person who stole the laptop did not know it contained such private information. most thefts are usually for the property itself (ie the laptop, the desktop, etc) and thieves don't actually care what's on the hard drive. if things like this were encrypted, then i highly doubt they would bother using a linux live cd or other tools to try and crack encryption. most of the time the laptop will be sold out of someone's trunk and the new user will not even realize what data they have on their new computer. fixing many computers, i've seen some people have data, settings, etc that obviously did not belong to them.

Re:It's easy to encrypt in Windows (0)

Anonymous Coward | more than 9 years ago | (#12075361)

It's also really easy to defeat that crack you mention: Enable the local security policy item labeled, "Do not store LAN Manager hash value on next password change" and then change the account password. While the Linux-based crack utilities you allude to will allow you to reset the account password to blank, you will not have access to the hash value of the secret key passphrase necessary to decrypt the Encrypted File System object(s). Obviously the strength of the secret key passphrase still determines the relative security vs. cryptographic attack/analysis, but it defeats the script-kiddie level attack you mention.

JEWS DID WTC! GNAA ARE BLACK LOSERS. (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12075062)

This is useless. Windows file encryption is only a deterrent...

Re:It's easy to encrypt in Windows (2, Informative)

tmasky (862064) | more than 9 years ago | (#12075145)

With Win2k, maybe XP too, you need to download a special pack to get the 3des cipher if your copy is from outside the US. IIRC, this isn't even the default cipher. Plain DES is! (which is very insecure ;))

Screw encrypting stuff with 3des =/ Laptop power is precious enough as it is.

Re:It's easy to encrypt in Windows (1)

caluml (551744) | more than 9 years ago | (#12075231)

I assume that the person that stole the laptop wasn't targeting it - they just had a quick browse (maybe it auto-logged in a la XP), and went "Wahey, a nice spreadsheet full of gumpf - maybe I can sell this." I'm sure single DES would have stopped them.

Re:It's easy to encrypt in Windows (2, Insightful)

canuck57 (662392) | more than 9 years ago | (#12075160)

Windows, love it or hate it, makes it very easy to secure your data on a laptop

I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on an insecure PC not encrypt the data store?

Users will not do anything they do not have to. And encrypting/decrypting files leaves copies of data un-encrypted on the disk. So blaming the user is not it either.

I would blame whomever acquired and authorized the use of the software (even if it is the user). This application was not designed for this type of use. And how did the data get on the laptop? Likely unencrypted ftp or perhaps an insecure CIFS share where the passwords are routinely cracked.

And how much spyware did the user load on the system?

Far too few are really too interested in security. For many it is lip service as they continue to practice careless computing.

idiots (5, Interesting)

Mr. Underbridge (666784) | more than 9 years ago | (#12075201)

I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on an insecure PC not encrypt the data store?

Something tells me the whole thing was on Excel.

There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.

Re:It's easy to encrypt in Windows (4, Informative)

Wingsy (761354) | more than 9 years ago | (#12075195)

Just as easy if not easier in OSX. Create an encrypted disk image (AES 128 bit) where the files are to be kept and do not put the pw in the Keychain. I'd trust encryption on a Mac a zillion times more than on Windows.

Re:It's easy to encrypt in Windows (1)

jocknerd (29758) | more than 9 years ago | (#12075343)

Or you could just encrypt your entire home directory with File Vault. I'm doing this in Panther on my iBook with no problems. Of course, you can still make an image that's encrypted with AES128 inside of your home directory that's been encrypted.

Wow... (4, Funny)

InterruptDescriptorT (531083) | more than 9 years ago | (#12074961)

Talk about your OpenBSD (Berkeley Social Data)...

Re:Wow... (-1, Troll)

ikkonoishi (674762) | more than 9 years ago | (#12075211)

Meh, it's not like those Berkeley hippies have anything other than pot and pizza money anyways.

Privacy (4, Insightful)

Tom (822) | more than 9 years ago | (#12074985)

Let's hope the sheer amount of identity theft problems will spearhead a push for more privacy protection.
I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a responsibility to your clients, customers, whatever.

Re:Privacy (2)

tuxette (731067) | more than 9 years ago | (#12075077)

You may want to use the EU Personal Data Directive (95/46/EC) [cdt.org] as a starting point. But even the Directive has its weaknesses...

Re:Privacy (1)

Tom (822) | more than 9 years ago | (#12075331)

The problem here being that

a) the US (where most of these problems happen) is not a member of the EU
b) the US has put immense pressure and bought/bribed some politicians in the EU to bypass the EU directive, even where it would apply to US businesses (i.e. transfer of data from EU to the US).
I say bribed because the affair (about a year ago) was quite similar to what's happening with the software patents right now - only insanity or bribery can explain the behaviour of some key persons.
If I recall correctly, there was even talk of criminal prosecution of the responsible EU director, but I fear like all such things nothing came of it once it had dropped out of the public interest.

The real problem: unchangeable passwords (5, Interesting)

pocari (32456) | more than 9 years ago | (#12074990)

The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.

I am too chicken to go first, though.

Re:The real problem: unchangeable passwords (2, Interesting)

anthony_dipierro (543308) | more than 9 years ago | (#12075071)

The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

Schools maybe, but what bank or credit bureau does such a thing?

It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent.

I am too chicken to go first, though.

The problem is, you'd probably be negligent for listing yourself in such a database.

If you really want to make it harder to get a loan, just call up the three credit bureaus and tell them that your identity was stolen. They'll put a note on your credit report and you basically won't be able to do anything by phone any more.

I fail to see how this is a good thing, though.

Re:The real problem: unchangeable passwords (2, Interesting)

pocari (32456) | more than 9 years ago | (#12075096)

As an individual act, it is foolish. Which is why I am chicken. You cannot boycott the bus system by yourself and expect change. But if enough people did it, businesses would be forced to figure out something else. You can't put a note on everybody's credit report and expect the system to run smoothly.

Re:The real problem: unchangeable passwords (2, Interesting)

matth (22742) | more than 9 years ago | (#12075228)

I have been "bucking" the system for years... the only people who have my SSN are my bank, my employer, the IRS, and my college (due to some horrible mixup that occurred when my parents gave them my number back in my youth.. however I got the school to generate a number for general use.. but they refused to remove my SS from the database)..

But.... I've happily gone around not giving out my SSN.... Given Blood, etc, etc... just say "sorry, I don't have one".

Re:The real problem: unchangeable passwords (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12075233)

Never bothered to post before, sorry for the AC.

Have a system where US citizens (Gotta HAVE a SSN) fill out a bunch of such data, and then it's hidden.

Gone, invisible. No one else can see it.

Until, let's say, a million people sign up.

See? No one has to be the chicken.

And you better encrypt that system ;-)

Re:The real problem: unchangeable passwords (1)

anthony_dipierro (543308) | more than 9 years ago | (#12075260)

But you're assuming it's a bad thing in the first place. If someone wants to give someone a loan without first checking that they actually are who they say they are, why should I care just because they say they're me? Sure, up to a year later I'll notice a false statement on my credit report, and I'll have to make a phone call or 2 to get it removed, but ultimately the person who really gets screwed over is the person who made the loan in the first place.

There's enough disincentive against banks in just blindly giving away this information. The only part that's really going to hurt you is if your bank is willing to give out your other sensitive data (like your balances or your last checks paid) to someone who just gives your SSN. Yeah, that might suck if you're hiding that information for some reason, but not all banks are that lax with their information. If your bank is, maybe it's time to have a chat with them, and/or get a better bank.

Re:The real problem: unchangeable passwords (1)

bblfish (683646) | more than 9 years ago | (#12075250)

I completely agree. The banks and all these institutions should be penalised for using such numbers as proof of identity.

Private institutions such as banks or the government should instead be giving out kryptokeys (also known as token cards) that give unique one time time-limited passwords to prove the person's identity.

That is what we had when I worked at AltaVista. At Sun they have exactly the same system, and I believe most security conscious institutions work that way. I would be really surprised if the technology is not far enough that one cannot now get such a display embedded on a credit card.

Biometrics (5, Interesting)

failure-man (870605) | more than 9 years ago | (#12075002)

With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.

These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.

Re:Biometrics (1)

tuxette (731067) | more than 9 years ago | (#12075148)

Riiiiiiiiiiight. Until someone decides, just for a cheap thrill, to mess around with the databases matching people to their biometric data. (Among the many things that can easily happen to fuck everything up.) Then the fun really begins!

Re:Biometrics (0)

Leadhyena (808566) | more than 9 years ago | (#12075237)

If anything, the original thief doesn't have the laptop by now... he probably hawked it for cash the first chance he got. I bet you that the original thief is kicking himself right now while the trafficker is salivating over his newest purchase.

Re:Biometrics (1)

Sierpinski (266120) | more than 9 years ago | (#12075345)

I have to agree. Instead of trying to protect information like our SSNs (which will never happen) we should instead make it more difficult to apply for these credit/life ruining things, like credit cards, loans, whatever. I have a little trashcan on the inside of my front door that all of the credit card applications, mortgage applications, and anything else that is more than a 'To the Resident At...' letter go into. Those get shredded, then incinerated.

How honest do you think all of the waiters/waitresses are in the country? You don't think that no server has ever written down or somehow captured your credit card number before charging your meal to your card? Even worse, they also have that little 3-4 digit number that verifies that you actually own the card.

Recently while making an online purchase, I was asked to provide that number. I instantly thought that if I gave that number away to someone else, then THEY would have that number, as well as all the information that I provided to bill me. The caveat is that I wanted them to charge me, but how do I know that my CC information isn't in some waiting-to-be-hacked database somewhere?
I don't, so I check my statements rigorously to make sure that there are no charges on there that I don't know about. Since our bank offers online banking, I don't have to wait until the end of the month see what's happening.

The problem with this whole situation is not that people's information is being leaked to/stolen by dishonest people, it's that those people have way too easy of a time USING that information for their own benefit. Make it more difficult to USE this sensitive information, and the information will become less sensitive.

I've never seen a cop show or heard about a court case where they convicted someone based on what their SSN was, but they use fingerprints for that all the time. Why should this be any different?

Great (2, Interesting)

baadger (764884) | more than 9 years ago | (#12075008)

"...but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable"

And in another twist of fate the thief is a hardcore slashdotter.

Re:Great (0)

Anonymous Coward | more than 9 years ago | (#12075164)

I was going to mention something to that effect: The thief may not know he has all this, but by everyone jumping up and down about how bad it is, he may be better informed.

I haven't had my coffee and NPR yet to find out whether this has hit the real news circuits.

I know! (1)

starmang (661689) | more than 9 years ago | (#12075016)

Just give everyone affected a new SSN!

Identity data stolen from a private university (0)

Anonymous Coward | more than 9 years ago | (#12075027)

If the headline were about a state university or a community college instead of Berkeley, the Slashdot Losertarians would be coming out of the woodwork claiming "That's why we need to abolish these 'unconstitutional' colleges". Since it is about a private University, the Losertarians probably won't say a word here about it "except, perhaps that California's mandatory notification law is 'unconstitutional' and should be abolished". Maybe they don't want people to know that maybe they're wrong about privatizing everything?

Re:Identity data stolen from a private university (2)

tuxette (731067) | more than 9 years ago | (#12075035)

UC-Berkeley is a state university.

Re:Identity data stolen from a private university (3, Informative)

Muttley (53789) | more than 9 years ago | (#12075049)

umm, sir, Berkeley is a State University... University of California. It in fact might be one of the best public universities in the country, alongside UT Austin, UW Seattle, Georgia Tech, and that probably wraps up my knowledge of US Public Universities.

Trivia - who is the highest paid state official in California...?
The coach of the UCLA Football team.

Re:Identity data stolen from a private university (1, Offtopic)

silconous (636675) | more than 9 years ago | (#12075149)

Should be the USC football coach; he wins more games.

Re:Identity data stolen from a private university (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12075159)

You're so fucking stupid that you don't even know the difference between a private University and a Public university. That, along with the Lax security at Berkeley that allowed someone to steal the data and, yes it's unconstitutional, why ALL "State Universities and Community Colleges". I think that the Businesses should wake up and only allow graduates from the Private Colleges, as they do a much better job at teaching a student to think and think "Outside the box, not what to think.

On a side note, someone can get into a Private college even if they don't have enough money. There are loans and scholarships, not to mention they need to have a job. If someone doesn't make it into a Private college, then they are too fucking stupid to exist and should work at a restaurant for the rest of their miserable lives . That way they either don't reproduce just so they can make ends meet, or they fucking starve if they choose to reproduce.
______________________________________ _____
A vote against a Libertarian candidate is a vote
to abolish the Constitution itself.

Wow... (2, Funny)

jpiggot (800494) | more than 9 years ago | (#12075029)

..and the irony of the theft...is that pot dealers are anxiously bidding for the laptop on Ebay, for a chance to sell weed to more than enough smokers needed to put that down payment on that cool 50ft motoryacht they've been wanting.

I kid because I love. What other university lets you major in "crispy" ?

Yeah, but what's the thief gonna do with it? (2, Insightful)

91degrees (207121) | more than 9 years ago | (#12075034)

Identity information is only useful to people who know how to perpetrate identity theft. If this crook knew how to do this the chances are he'd already have looked. And he has to realise that it is the laptop he stole.

It's a problem if he knows this and knows someone who knows what to do with the data, but at least with disclosure the victims know they are at risk.

My identity stolen? (1, Insightful)

anthony_dipierro (543308) | more than 9 years ago | (#12075036)

No, my identity may have been copied, but my identity certainly wasn't stolen.

Re:My identity stolen? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12075097)

well when you keep getting hounded by creditors, lose your house, can't use any credit cards, your bank account is empty, etc., your identity won't seem like yours anymore.. therefore it's stolen

I don't believe it (0)

Anonymous Coward | more than 9 years ago | (#12075051)

Can someone post all stolen data here for proof?

Re:I don't believe it (0)

Anonymous Coward | more than 9 years ago | (#12075065)

It's not theft, it's copyright violation ;-)

Can you say "Irony" (5, Interesting)

tomhudson (43916) | more than 9 years ago | (#12075060)

SISS, UC Berkeley - Social Security, Driver's Licenses, and California ID Cards [berkeley.edu]
Social Security Number Safety

Although a SSN is only meant to be used for tax and government purposes, it is often used by financial institutions, businesses, and others as a unique identification number. Because the SSN is a unique ID, it is often the target of "identity theft". Therefore you should be very careful about where and to whom you give your SSN.

  • Never carry your Social Security card or number with you. Keep it at home in a secure place.
  • Only give your SSN to someone who has a specific and legitimate need for it.
  • Be very careful with any forms, applications or other materials that may have your SSN on it.
  • Never give your SSN to someone who phones you. You should initiate the call or meet in person.
  • Never reply to email or web sites that request an SSN.

Gee, too bad they don't follow their own advice to "be careful". Guess they haven't quite gotten the hang of that "intarweb thingee" yet.

Why does the notification have to be public? (4, Interesting)

vrimj (750402) | more than 9 years ago | (#12075063)

Unless they have no idea what specific data was involved why not just send these people a letter?

As I read the law personal notification is not only allowed it is preferred. The complaints about "now the thieves know they have something valuable" seem like they are more a result of the choice to hold a press conference and save the cost of a lot of stamps.

Re:Why does the notification have to be public? (2, Interesting)

WebHostingGuy (825421) | more than 9 years ago | (#12075130)

I think it really doesn't matter. As soon as someone gets the notification someone will tell the press. Also, by releasing it out you control the story and timing. There is no way a story about a large university losing this data would stay out of the media.

At Least It's Not Arrogance (5, Interesting)

mirio (225059) | more than 9 years ago | (#12075086)

Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia [westga.edu], I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).

Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.

The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.

Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed to care.

I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.

I graduated in 99 so I'm not sure if any changes have been made. I would love to know.

Re:At Least It's Not Arrogance (2, Interesting)

emotionus (657937) | more than 9 years ago | (#12075143)

I'm an undergrad student now. Currently not declared.

Anyways, who should I go talk to? I also know a CS grad student here.

I could give my liberal hippy friends something to protest about on campus.

Re:At Least It's Not Arrogance (1)

EmagGeek (574360) | more than 9 years ago | (#12075226)

ARRRRRGH!!! BANNER!!!! I remember that big, ugly whore of a database from my days at another unnamed university... oh hell, the Georgia Institute of Technology [gatech.edu]. In fact, after I saw your post, I logged into my banner account (I graduated in 1999) and checked out my grades... hah...

Re:At Least It's Not Arrogance (2, Interesting)

Skater (41976) | more than 9 years ago | (#12075344)

When I was a teaching assistant at the University of Georgia, we were given the SS# of every student in our class. I never once used them, and I would've strongly preferred not to have them at all. Also, we were never given anything saying, "Hey, this information is confidential and should be treated with care." (I know that's obvious to you and me, but it's not obvious to everyone.)

The only reason I could see for us having SS# was that without them we were relying on names to be unique within a given class of 30 people - a problem I didn't run into in 2 years of being a TA. But a simple unique student ID would serve that purpose as well - and the last few digits of that could be read aloud without any risk to distinguish the two students on the first day of class.

For basic stats classes (STAT 200, later 2000), we also had them fill out their SS#s on the scantron forms.

Too much (2, Interesting)

QuietLagoon (813062) | more than 9 years ago | (#12075087)

Why was that amount of personal data allowed to be on a laptop in the first place?

Re:Too much (3, Insightful)

tuxette (731067) | more than 9 years ago | (#12075124)

I was about to ask the same thing.

What a lot of "security officers" seem to neglect is that an important part of security is to make what one would want to steal physically difficult, even impossible, to do so. This would perhaps work as a last resort against other stupidities such as forgetting to encrypt or letting non-authorized persons in a restricted zone.

Incidentally, a laptop doesn't even need to be stolen. Call any train station or airline and ask them how many laptops are forgotten each day. Each week. Each month.

Nobody raises an eyebrow when they see someone carrying a laptop on a university campus. Someone trying to haul a big machine would draw more attention.

My college, too. (1)

Short Circuit (52384) | more than 9 years ago | (#12075089)

Late last year, GRCC [grcc.edu] had three laptops stolen from the Payroll department. To get there, you have to go to a specific hallway, on a specific floor, in a specific building.

Methinks it was a targeted effort.

Re:My college, too. (1, Funny)

OneSmartFellow (716217) | more than 9 years ago | (#12075165)

Surely to get into any room in any large building one must go to a specific hallway, on a specific floor.

Does this mean all theft from all large buildings is targeted?

Re:My college, too. (1)

Short Circuit (52384) | more than 9 years ago | (#12075216)

During a vacation period, when nobody's supposed to be around? When only that department is burglarized?

It's not easy to find that department, if you haven't been there before. It's not on the ground level, or on the same level as any of the skywalks into the building.

Why all on a laptop? (5, Insightful)

WebHostingGuy (825421) | more than 9 years ago | (#12075093)

Why was all of this on a laptop?

Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.

Re:Why all on a laptop? (2)

wrenhunt (704610) | more than 9 years ago | (#12075128)

Exactly! The media is missing the point here too that not only that data was taken, but why was all this stuff on a laptop in the first place?

Re:Why all on a laptop? (0)

Anonymous Coward | more than 9 years ago | (#12075321)

They probably figured that was an obvious conclusion that didn't need to be pointed out.

Maybe the law should require that people who manage sensitive personnel data need to have IQs of at least 90.

Copycat thief, or wily hacker again? (1)

Dossy (130026) | more than 9 years ago | (#12075134)

Maybe the laptop thief was actually the same wily hacker at Harvard Business School [boston.com].

California Universities (3, Interesting)

That's Unpossible! (722232) | more than 9 years ago | (#12075330)

Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.

That's ok. (4, Funny)

RandoX (828285) | more than 9 years ago | (#12075401)

I don't use my own identity anymore anyway.